Posted by Justin Koivisto on 02/11/06 03:23
Skeets wrote:
> btw, i use bind variables when i'm inputting fuser orm information into
> my db (postgresql). adodb's db abstraction layer (very good, btw) has
> a pretty nice implementation. using bind variables means you don't
> have to escape everything prior to submission and sql injection becomes
> a non issue. if it is bad data, it doesn't get submitted, as i
> understand it.
>
> i posted this in another reply, but i'm not sure you will read it.
>
> is this spoofable (i do use apache)?
>
> $host=apache_request_headers();
> // Referer may be absent, so read it with a fallback before matching
> $referer = isset($host['Referer']) ? $host['Referer'] : '';
> if(eregi('domain.com', $referer)){
> // good submission, do something
> }else{
> //bad submission, don't do anything
> }
The referrer is one of the easiest headers to forge. There are even
browser plug-ins for browsers like Firefox that allow you to send
whatever you want as the UA or referrer. In fact, wget and curl allow
you to write your own as well.
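As an added illustration (not code from either poster), the following PHP shows why a Referer check is a weak control and what a server-side alternative looks like: a per-session anti-CSRF token that a third-party page cannot read, combined with a bound-parameter insert as Skeets already does. It assumes PHP 7 or later (random_bytes, hash_equals), PDO with the PostgreSQL driver, and a hypothetical `profiles` table; the DSN, credentials, field names and function names are placeholders chosen for this example.

```php
<?php
// Added example: the Referer header is supplied by the client, so a check on it
// cannot distinguish a real browser submission from a forged one. A session-bound
// token that the server issues and later compares closes that gap.
// All names and the database details below are assumptions for this example.

session_start();

// Issue one token per session and embed it in the form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the posted token with the session copy in constant time.
function csrf_token_is_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// The Referer check from the thread, kept only as a weak hint. It parses the
// host instead of substring-matching, because 'domain.com' would also match a
// referer such as http://example.net/?domain.com. It is still not a security
// control: browsers and privacy tools often omit the header entirely, and any
// client can set it to whatever it likes.
function referer_looks_local(array $headers): bool
{
    $referer = $headers['Referer'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && preg_match('/(^|\.)domain\.com$/i', $host) === 1;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Bad submission: missing or invalid token.');
    }

    // Good submission: insert with bound parameters so the statement text and
    // the user data never mix (the same property Skeets gets from ADOdb binds).
    $pdo = new PDO('pgsql:host=localhost;dbname=app', 'app_user', 'placeholder-password');
    $stmt = $pdo->prepare('INSERT INTO profiles (username, bio) VALUES (:username, :bio)');
    $stmt->execute([
        ':username' => $_POST['username'] ?? '',
        ':bio'      => $_POST['bio'] ?? '',
    ]);
    echo 'Saved.';
} else {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . 'Username: <input name="username"> Bio: <input name="bio"> '
       . '<button type="submit">Save</button></form>';
}
```

The token, not the Referer, decides whether the submission is accepted; `referer_looks_local()` is left in only to show the safer way to parse the header if you still want to log it as a hint. Keep the session cookie out of cross-site requests as well (the cookie's SameSite attribute on current PHP versions) so the token check is not the only layer.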